
Re: authmeth-16 notes



Howard Chu writes:
> Section 3.1.5 is definitely better. A couple of minor points:
>    rule #3, "leftmost RDN" is probably a bad choice. "least significant
> RDN" might be better.

Simply "the RDN" (of the subjectName field) seems clearer to me.

> X.500 never specified a left/right display order for DNs; it only
> defines them as a sequence in descending order from the root down. It
> was common practice with X.500 tools to display DNs in left-to-right
> order, like a filesystem: /rootrdn/nextrdn.../lastrdn, and it was common
> for packages like (older versions of) OpenSSL to use this order as well
> when displaying DNs in X.509 certificates. While LDAP specifies a
> right-to-left order for DNs, people working with these older certificate
> management tools may still be presented with X.500-style DNs. This
> ordering ambiguity still causes a lot of confusion for users and
> administrators. I wonder if it would be worthwhile to add an explanatory
> note about this point to Appendix A.

Sounds like a good idea.  Or a section under TLS.
Also, the quoting rules probably differ from LDAP's rules.
Something like this?

  "Note that the TLS implementation may display DNs in certificates
  according to X.509's rules rather than LDAP's rules.  For example,
  RDNs in a DN may be ordered left-to-right instead of right-to-left."

-- 
Hallvard
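The two display orders the thread discusses, worked through in code. This is an added example, not code from the draft or from either correspondent: it splits an LDAP string DN (RFC 4514 order, least significant RDN first, root on the right), renders the same DN in the root-first slash form that older X.500-style tools show (the `/C=.../CN=...` shape is assumed as the typical one-line format), converts back while applying LDAP's escaping rules, and picks out the RDN furthest from the root. All DNs in it are constructed samples; multi-valued RDNs joined with `+` are not handled.

```python
"""Two display orders for the same DN (added example; constructed data).

LDAP (RFC 4514):      CN=Doe\, Jane,OU=USIT,O=Example\, Inc.,C=NO
X.500-style one-line: /C=NO/O=Example, Inc./OU=USIT/CN=Doe, Jane
"""

RFC4514_SPECIALS = set(',+"\\<>;')
HEX = "0123456789abcdefABCDEF"


def split_ldap_dn(dn):
    """Split an RFC 4514 DN into RDN strings in LDAP order.
    A comma preceded by a backslash belongs to a value, not a separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\C3\\A9' -> the UTF-8 bytes C3 A9."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                raw.append(int(pair, 16))   # hex-pair escape is one raw byte
                i += 3
                continue
            raw.extend(value[i + 1].encode("utf-8"))   # single-char escape
            i += 2
            continue
        raw.extend(value[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def escape_value(value):
    """Apply RFC 4514 escaping so a plain value can go back into an LDAP DN."""
    out = []
    for idx, ch in enumerate(value):
        if ch in RFC4514_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and idx == 0:                      # leading '#' means hex-encoded value
            out.append("\\#")
        elif ch == " " and idx in (0, len(value) - 1):    # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ldap_to_x500_slash(dn):
    """Render an LDAP DN root-first with '/' separators, as older X.500-style
    tools do (assumed format).  Values are shown unescaped, which is exactly
    why a '/' inside a value makes this form ambiguous."""
    parts = []
    for rdn in reversed(split_ldap_dn(dn)):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip()}={unescape_value(val)}")
    return "/" + "/".join(parts)


def x500_slash_to_ldap(s):
    """Inverse of ldap_to_x500_slash for values that contain no '/'."""
    rdns = []
    for part in reversed([p for p in s.split("/") if p]):
        attr, _, val = part.partition("=")
        rdns.append(f"{attr}={escape_value(val)}")
    return ",".join(rdns)


def least_significant_rdn(dn):
    """The RDN furthest from the root: first in LDAP order, last in X.500 order."""
    return split_ldap_dn(dn)[0]


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=USIT,O=Example\\, Inc.,C=NO"   # constructed
    print(ldap_to_x500_slash(sample))
    print(least_significant_rdn(sample))
```

The round trip only works because the escaping is applied on the way back into LDAP syntax; the slash form carries no escaping of its own, so the "quoting rules differ" point in the reply is visible as the place where a value containing a comma or a slash stops being recoverable.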